RE: [discovery-api] CORS support added to NSD API Editor's Draft

Two questions after skimming through the CORS preflight check:
1. Why set the source origin to the public IP address of the current machine and not to the script origin?

2. Which HTTP methods should actually be checked in advance? GET only? POST? More?
Depending on the particular service implementation of CORS, this initial check may not always be sufficient.
Web apps may anyway need to discover what is authorized by themselves.

Regards,
 Youenn

> -----Original Message-----
> From: Rich Tibbett [mailto:richt@opera.com]
> Sent: Monday 7 October 2013 05:19
> To: Device APIs Working Group
> Subject: [discovery-api] CORS support added to NSD API Editor's Draft
> 
> I have added an initial version of CORS support to the Editor's Draft of the
> Network Service Discovery API spec.
> 
> The ED version of the spec is in the usual place:
> 
> https://dvcs.w3.org/hg/dap/raw-file/tip/discovery-api/Overview.html
> 
> A diff with all CORS-related updates is available at:
> 
> https://dvcs.w3.org/hg/dap/diff/f3ea6558ffe1/discovery-api/Overview.src.html
> 
> This update is as per the 'alternative' CORS proposal previously introduced
> and discussed in [1] (including the resolved issues in that thread). I believe we
> still need to review and update the Security and Privacy Considerations
> Section further related to security concerns that have been raised elsewhere
> on the mailing list [2].
> 
> Best regards,
> 
> Rich
> 
> [1] http://lists.w3.org/Archives/Public/public-device-apis/2013Oct/0014.html
> 
> [2] http://lists.w3.org/Archives/Public/public-device-apis/2013Oct/0033.html
> (in reply to: http://lists.w3.org/Archives/Public/public-device-apis/2013Oct/0010.html)

Received on Monday, 7 October 2013 08:34:50 UTC